[cisco-voip] rights needed for AD integration for ccm6

Jonathan Charles jonvoip at gmail.com
Mon Jan 14 11:02:14 EST 2008


Is there a requirements doc I can show them, if I am going to request
a modification of their DNS/AD setup?



Jonathan

On Jan 14, 2008 8:09 AM, Ryan Ratliff <rratliff at cisco.com> wrote:
> Not sure what to tell you.  Can you try setting the search base to
> something other than the root of the domain?
>
> All you can do is get a sniffer capture and show them what we are
> searching for and how their ldap server is responding.
>
> -Ryan
>
>
> On Jan 11, 2008, at 5:51 PM, Jonathan Charles wrote:
>
> The customer is saying that forestdnszones is in a different domain...
> (cproot.net)...
>
>
>
>
> Jonathan
>
> On Jan 11, 2008 8:52 AM, Ryan Ratliff <rratliff at cisco.com> wrote:
> > With Win2k3 AD if you make an ldap search with the search base set to
> > the root of the domain you will always get a referral for 3 hosts;
> > cn=Configuration, dc=domain, dc=com
> > dc=forestdnszones, dc=domain, dc=com
> > dc=domaindnszones, dc=domain, dc=com
> >
> > From what I've gathered troubleshooting a bijillion of these referral
> > issues these DNS entries usually have all DCs in the domain listed.
> > Most of the time if you get a 2nd nic enabled on a DC with DHCP
> > enabled but not reachable the server grabs the auto-assigned Windows
> > DHCP address and this gets stuck into DNS.  CM (4.x at least) had a
> > nasty habit of picking the one address out of all possible DNS results
> > and using it to follow the referral.  This causes all kinds of ldap
> > issues.
> >
> > This is why a sniffer capture is so helpful when troubleshooting ldap
> > issues.  I've found that customer's AD folks tend to be quite
> > protective and don't like to even think of there being a problem on
> > their end until I can show them exactly what's going wrong in a sniffer
> > capture.
> >
> >
> >
> >
> > -Ryan
> >
> >
> > On Jan 10, 2008, at 3:06 PM, Joel Perez wrote:
> > Gotcha,
> >
> > Got it now, thought it was some new crazy feature of ccm6.
> >
> > Thanks,
> >
> > Joel P
> >
> >
> > On 1/10/08, Scott Voll <svoll.voip at gmail.com> wrote:
> >>
> >> planetcrazy.net was in the trace file.  AD uses the forestdnszones
> >> and domaindnszones as part of the AD / dns sync.
> >>
> >> Scott
> >>
> >>
> >>
> >> On Jan 10, 2008 11:06 AM, Joel Perez <tman701 at gmail.com> wrote:
> >>
> >>>
> >>> Pardon my ignorance guys, but what does his issue have to do with
> >>> 'planetcrazy.net', 'forestdnszones.planetcrazy.net', and
> >>> 'domaindnszones.planetcrazy.net'?
> >>>
> >>> I'm just curious.
> >>>
> >>> Thanks,
> >>> Joel P
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> On 1/10/08, Scott Voll <svoll.voip at gmail.com> wrote:
> >>>>
> >>>> and make sure all are routable. and close.  we had issues with a DC
> >>>> going offsite over slower link.
> >>>>
> >>>> Scott
> >>>>
> >>>>
> >>>>
> >>>> On Jan 10, 2008 6:47 AM, Jonathan Charles <jonvoip at gmail.com>
> >>>> wrote:
> >>>>
> >>>>> OK, I will try that tonight...
> >>>>>
> >>>>> Thanks...
> >>>>>
> >>>>>
> >>>>> Jonathan
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> On Jan 10, 2008 8:38 AM, Ryan Ratliff <rratliff at cisco.com> wrote:
> >>>>>> Yes it does.
> >>>>>>
> >>>>>> Just guessing though it looks as if you've got referral issues,
> >>>>>> just going from some of the errors.   Is this Win2k3 AD?  If so do an
> >>>>>> nslookup for 'planetcrazy.net', 'forestdnszones.planetcrazy.net', and
> >>>>>> 'domaindnszones.planetcrazy.net' and see if there are any bogus
> >>>>>> entries in any of them.
> >>>>>>
> >>>>>>> MESSAGE [LDAP: error code 10 - 0000202B: RefErr: DSID-031005E2, data
> >>>>>>> 0, 1 access points
> >>>>>>>         ref 1: 'planetcrazy.net '
> >>>>>>>
> >>>>>>
> >>>>>>
> >>>>>> -Ryan
> >>>>>>
> >>>>>>
> >>>>>> On Jan 10, 2008, at 9:38 AM, Jonathan Charles wrote:
> >>>>>>
> >>>>>> Not that easy an option... wait...
> >>>>>>
> >>>>>> Doesn't CCM have a built in sniffer?
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> Jonathan
> >>>>>>
> >>>>>> On Jan 10, 2008 8:09 AM, Ryan Ratliff <rratliff at cisco.com> wrote:
> >>>>>>> Go for a sniffer capture.  It's the easiest way to see what's going
> >>>>>>> on.
> >>>>>>>
> >>>>>>> -Ryan
> >>>>>>>
> >>>>>>>
> >>>>>>> On Jan 9, 2008, at 7:31 PM, Jonathan Charles wrote:
> >>>>>>>
> >>>>>>> The sync is not working tho...
> >>>>>>>
> >>>>>>> I am getting these errors in the DirSync trace...
> >>>>>>>
> >>>>>>> 2008-01-09 14:11:42,451 ERROR
> >>>>>>> [DSLDAPSyncImpl(4ddb60b4-dadb-42d8-c587-7d08dd0a0a8f)]
> >>>>>>> ldapplugable.DSLDAPSyncImpl (DSLDAPSyncImpl.java:832) -
> >>>>>>> LDAPSync(4ddb60b4-dadb-42d8-c587-7d08dd0a0a8f)[LDAPFullSync] Caught
> >>>>>>> NamingException
> >>>>>>> 2008-01-09 14:11:42,452 ERROR
> >>>>>>> [DSLDAPSyncImpl(4ddb60b4-dadb-42d8-c587-7d08dd0a0a8f)]
> >>>>>>> ldapplugable.DSLDAPSyncImpl (DSLDAPSyncImpl.java:833) -
> >>>>>>> LDAPSync(4ddb60b4-dadb-42d8-c587-7d08dd0a0a8f)[LDAPFullSync]
> >>>>>>> com.sun.jndi.ldap.LdapReferralException: [LDAP: error code 10 -
> >>>>>>> 0000202B: RefErr: DSID-031005E2, data 0, 1 access points
> >>>>>>>         ref 1: ' planetcrazy.net'
> >>>>>>>
> >>>>>>>
> >>>>>>> MESSAGE [LDAP: error code 10 - 0000202B: RefErr: DSID-031005E2, data
> >>>>>>> 0, 1 access points
> >>>>>>>         ref 1: ' planetcrazy.net'
> >>>>>>>
> >>>>>>> com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2824)
> >>>>>>> com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2737)
> >>>>>>> com.sun.jndi.ldap.LdapCtx.searchAux (LdapCtx.java:1808)
> >>>>>>> com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1731)
> >>>>>>> com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search
> >>>>>>> (ComponentDirContext.java:368)
> >>>>>>> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search
> >>>>>>> (PartialCompositeDirContext.java:338)
> >>>>>>> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search
> >>>>>>> (PartialCompositeDirContext.java:321)
> >>>>>>> javax.naming.directory.InitialDirContext.search
> >>>>>>> (InitialDirContext.java:248)
> >>>>>>> com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.searchInternalExact
> >>>>>>> (DSLDAPSyncImpl.java:1193)
> >>>>>>> com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.LDAPFullSync
> >>>>>>> (DSLDAPSyncImpl.java:823)
> >>>>>>> com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.run
> >>>>>>> (DSLDAPSyncImpl.java:296)
> >>>>>>>
> >>>>>>> 2008-01-09 14:11:42,452 ERROR
> >>>>>>> [DSLDAPSyncImpl(4ddb60b4-dadb-42d8-c587-7d08dd0a0a8f)]
> >>>>>>> ldapplugable.DSLDAPSyncImpl (DSLDAPSyncImpl.java:325) -
> >>>>>>> LDAPSync(4ddb60b4-dadb-42d8-c587-7d08dd0a0a8f)[Run]
> >>>>>>> com.cisco.ccm.dir.dirsync.common.DSException
> >>>>>>> MESSAGE null
> >>>>>>> com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.LDAPFullSync
> >>>>>>> (DSLDAPSyncImpl.java:841)
> >>>>>>> com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.run
> >>>>>>> (DSLDAPSyncImpl.java:296)
> >>>>>>>
> >>>>>>>
> >>>>>>> I have no idea what they mean....
> >>>>>>>
> >>>>>>> And no users are being brought over...
> >>>>>>>
> >>>>>>>
> >>>>>>> Jonathan
> >>>>>>>
> >>>>>>> On Jan 9, 2008 3:34 PM, Craig Staffin <cmstaffin at gmail.com> wrote:
> >>>>>>>> It just needs to be a member of Domain Users
> >>>>>>>>
> >>>>>>>> There are no special rights needed
> >>>>>>>>
> >>>>>>>> Craig
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On Jan 9, 2008 2:50 PM, Jonathan Charles <jonvoip at gmail.com> wrote:
> >>>>>>>>>
> >>>>>>>>> So, what rights does the LDAP user need to AD for it to sync...?
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> Jonathan
> >>>>>>>>> _______________________________________________
> >>>>>>>>> cisco-voip mailing list
> >>>>>>>>> cisco-voip at puck.nether.net
> >>>>>>>>> https://puck.nether.net/mailman/listinfo/cisco-voip
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> --
> >>>>>>>> Craig Staffin
> >>>>>>>> Craig at staffin.org
> >>>>>>>> (H) 262-437-7313
> >>>>>>>> (C) 262-613-6003
>
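
Editor's added example, not part of any poster's message: a sketch of the DNS check suggested in the thread. It pulls the referral name out of a DirSync trace, builds the three names to look up, and flags A records that look bogus. The trace excerpt, the DNS answers and the `EXPECTED_DC_NETS` subnet are constructed sample data, and treating the "auto-assigned" address as the 169.254.0.0/16 range is this example's assumption.

```python
import ipaddress
import re

# Constructed sample: one referral line in the shape of the DirSync trace above.
TRACE = """\
com.sun.jndi.ldap.LdapReferralException: [LDAP: error code 10 -
0000202B: RefErr: DSID-031005E2, data 0, 1 access points
        ref 1: ' planetcrazy.net'
"""

# Constructed sample A-record answers (what nslookup might return); the
# addresses are invented for illustration.
DNS_ANSWERS = {
    "planetcrazy.net": ["10.1.1.10", "10.1.1.11", "169.254.37.4"],
    "forestdnszones.planetcrazy.net": ["10.1.1.10", "10.1.1.11"],
    "domaindnszones.planetcrazy.net": ["10.1.1.10", "192.168.50.9"],
}

# Assumption: the subnets where the customer's DCs legitimately live.
EXPECTED_DC_NETS = [ipaddress.ip_network("10.1.1.0/24")]

REF_RE = re.compile(r"ref \d+:\s*'\s*([^'\s]+)\s*'")

def referral_targets(trace):
    """Return the referral host names found in a trace, in order, de-duplicated."""
    seen = []
    for name in REF_RE.findall(trace):
        if name.lower() not in seen:
            seen.append(name.lower())
    return seen

def names_to_check(domain):
    """The three names the thread says to nslookup for a given AD domain."""
    return [domain, f"forestdnszones.{domain}", f"domaindnszones.{domain}"]

def bogus_entries(answers, expected_nets):
    """Flag A records that are auto-assigned (169.254/16) or outside the DC subnets."""
    findings = []
    for name, addrs in answers.items():
        for a in addrs:
            ip = ipaddress.ip_address(a)
            if ip.is_link_local:
                findings.append((name, a, "auto-assigned (APIPA) address"))
            elif not any(ip in net for net in expected_nets):
                findings.append((name, a, "outside expected DC subnets"))
    return findings

if __name__ == "__main__":
    for domain in referral_targets(TRACE):
        answers = {n: DNS_ANSWERS.get(n, []) for n in names_to_check(domain)}
        for finding in bogus_entries(answers, EXPECTED_DC_NETS):
            print(*finding, sep="  ")
```

In practice the `DNS_ANSWERS` table would be filled from real lookups against the customer's DNS servers, and the findings paired with the sniffer capture when the case is handed to the AD team.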

